END-USERS SECURITY ACCEPTABILITY
In October 2013, the British newspaper “The Guardian”, based on information disclosed by Edward Snowden, revealed that the phones of 35 world leaders had been tapped by the NSA. In June 2015, “Médiapart” and “Libération” revealed that the NSA had eavesdropped on the French presidents’ mobile phone conversations at least between 2006 and 2012: this confirms that VIPs are special targets for malicious actors!
Surveys of managers of companies or administrations show that only a tiny part (5%) cares enough about security matters to accept its constraints, such as using a very secure product that is slower or less functional than the latest iPhone or Samsung. Among this population, for which security matters, we find people who were made aware by their previous jobs (for example former military officers) or naturally wary people, who know their phones might be tapped and want to be protected. The challenge is then to convince the remaining 95%!
The problem is that the majority expects mobiles to be at least as efficient as, and to offer as many functionalities as, those on the market right now. When they are presented with a product that is highly secure but less powerful than their stock mobile, habits take the lead and the secure mobile is quickly left aside for an Android or iOS system, merely for reasons of lifestyle or usage patterns. For instance, VIPs can send extremely lengthy SMS messages (instead of sending e-mails), which is not supported by the security applications of all systems. Another example is devices that are slow or lack sufficient battery life for VIPs’ usage (15h to 20h of communications per day, which is significantly heavier than average). Yet these VIPs expect their mobiles to have resources and usability at least as good as mainstream devices.
High-level security, including the management of user encryption keys, is, for now, considered to be a technical gap for most manufacturers. This should not prevent educational demonstrations for VIPs.
For instance, setting up a fake Wi-Fi access point, in a demonstration held by experts (among whom the ANSSI is represented), generally raises awareness among the audiences most reluctant toward protected devices…
Security should therefore be taken into account from the very beginning of device design and integrated in the most user-friendly way possible, so that the inconvenience it induces becomes acceptable.